1 Answer
1

Keccak was selected by NIST on October 2, 2012 as the winner of the contest. It is widely seen as a suitable alternative to SHA-2, because the design is so different from most previous hash standards that even if SHA-2 is broken, confidence in Keccak should be relatively unaffected. It is also very fast and simple to implement in hardware.

NIST and most other observers also have renewed confidence in SHA-2 based on the experience gained since the attacks on SHA-1 and MD5 came to light. So we now have an opportunity to incorporate both standards as options in the various security protocols, which allows us to pivot quickly if problems are discovered in either one, and to select one of the two algorithms based on their suitability for the intended use cases.

The initial hope was that a new hash could be found that was significantly more efficient than SHA-2, but achieving that with a high security margin has proved to be difficult. Some candidates are significantly faster than SHA-2, but that varies by platform (32-bit vs 64-bit vs "constrained" vs custom hardware).

Update: I have modified my library of hash functions (sphlib) for the tweaks incorporated in the five finalists. The source archive contains an update note with new benchmark; see saphir2.com/sphlib . The main point: on "small" 32-bit architectures (ARM, MIPS, Java on a 32-bit x86), SHA-256 outperforms all five SHA-3 candidates. Which is kind of sad.
–
Thomas PorninJul 22 '11 at 21:02